4.10 Anti-disclosure security management system for electronic documents
Date: 2018-12-06

Chapter One      Product background

With the continued development of the domestic economy, informatization has become an important means of daily office work for enterprises. According to statistics from the relevant departments, more than 80% of enterprise data is now held electronically, and in specific industries such as manufacturing, finance and telecommunications the proportion is higher still. Electronic data has brought large efficiency gains: compared with the paper documents of the past, the circulation of electronic files is no longer limited by a particular transmission channel or its throughput, and files move over internal networks, public networks and all kinds of removable storage media. This greatly improves communication inside and outside the enterprise and reduces the time lost and the errors introduced when information is passed on.

However, with the spread of high-speed networks and the steady growth of terminal applications, information security in manufacturing enterprises faces a more serious threat. Incidents of recent years, from the leak of Foxconn design drawings to the leaks of internal design data at Samsung and LG in South Korea, have to some extent sounded an alarm for manufacturing companies. The rapid growth of networks provides a convenient channel for leaking internal information, and the growing variety of terminal applications makes internal prevention and control harder. Traditional security controls such as desktop management, Internet access behaviour management and network firewalls cannot effectively prevent core internal data from leaking out. Information security must therefore start at the source of the information if it is to be protected over its whole life cycle.

Chapter Two      Introduction

2.1     Product description

The document security management system is described as the earliest domestic document encryption and decryption product based on file filter driver technology. The system includes seven core components: transparent encryption, permission management, outbound management, application security gateway, security middleware, smart mobile terminal and USB client.

It protects electronic documents mainly through encryption, to prevent internal employees from leaking, and outsiders from stealing, the enterprise's core data assets. The protection scope covers terminal computers (Windows and Linux platforms), smart terminals (Android, iOS) and application systems of all kinds (OA, knowledge management, document management, project management, PDM and so on). Depending on user needs, electronic documents can be encrypted automatically or manually and placed under fine-grained permission control, so that the whole document life cycle is managed: prevention beforehand, control during use and audit afterwards. This helps an enterprise build a complete document anti-disclosure system.

2.2     Product composition

The electronic document security management system consists of seven core components: transparent encryption, permission management, outbound management, application security gateway, security middleware, smart mobile terminal and USB client. They protect data on user computer terminals, in mobile office use and in application systems over its whole life cycle, from creation, storage and workflow through outbound transfer to destruction.

(1) Computer terminal document data security

- Transparent encryption

Ensures that the user's core data files are encrypted from the moment they are created, so that a leak by the person who produces the data does not expose the enterprise.

- Permission management

By encrypting documents and authorizing them to corresponding roles, the use of documents inside the enterprise is controlled, avoiding the disclosure risk of unauthorized use.

- Outbound management

By encrypting, authorizing and encapsulating documents, the risk of disclosure when documents are transmitted and used externally is controlled.

(2) Application system data security

- Application security gateway

Provides security for application systems through an integrated combination of software and hardware. The application security gateway gives application systems the dual protection of secure access and data encryption and decryption.

- Security middleware

Provides encryption and decryption capabilities to application systems through an interface, improving the confidentiality of the application system and ensuring data security. The security middleware is based on a standard WebService interface and is not limited by protocol or network environment; as long as the application system can be extended (secondary development), integration with a third-party application system is completed quickly by calling the interface.

(3) Mobile office data security

- USB client

The transparent encryption client is embedded in a USB flash drive. An authorized user can insert the drive into any computer and open and use encrypted documents, without connecting to the encryption server and without carrying the office computer. It is mainly intended for employees working overtime at home or travelling on business.

- Smart mobile terminal

Provides a dedicated app security service for smart mobile devices, so that encrypted data downloaded to the device through the client can be viewed normally and cannot be used outside the controlled scope. This module is generally used together with transparent encryption, the application security gateway or the security middleware.

2.3     Solution architecture


- Server

The core of the entire encryption system is a centralized management server, which supports the system's security policy management, user management, system configuration, terminal management, policy management, key management, and system log and audit management.

For the different types of terminal documents, unified support and management is implemented through terminal encryption and application-specific permission management. Through interaction with the client control software deployed on the terminal, the server completes identification of terminal users, encryption and decryption control of the different types of terminal electronic documents, user permission control, file outbound transfer, control of off-line terminals (terminal computers that temporarily cannot connect to the server) and collection of the operation logs of encrypted documents on the terminal.

Operator identity authentication for the encryption software is completed through the member authentication system interface management. Where no other authentication system exists, the system provides a self-built user authentication subsystem to manage user identity information such as user registration, system roles, organizations and security policy groups, and to provide authentication services while the system is running. At the same time, the member authentication system interface management provides integration with standard unified authentication systems such as MS-AD domains and LDAP, so that user identification can be delegated to them.

The system's self-management function is supported by system configuration management, which mainly provides management channels for the system console, queries of some of the system's internal information reports, and configuration of some of the system's early-warning functions. If another system needs to perform this system's management functions without an operator, this can also be achieved through this system's configuration interface management and configuration extension management, which are likewise based on system configuration management.

- Application security gateway / security middleware

The application security gateway and the security middleware mainly integrate seamlessly with third-party application systems to protect application system data.

The application security gateway provides application systems with application security admission control and data encryption and decryption. It supports both bypass (out-of-path) deployment and in-line deployment (bridge mode). Application security admission supports the standard TCP/IP protocol; data encryption and decryption supports the standard HTTP and FTP protocols.

The security middleware provides application systems with encryption and decryption and process approval capabilities, and is not limited by protocol or network environment. As long as the application system can be extended (secondary development), integration with a third-party application system is completed quickly by calling the interfaces.

- Client

The client control software is the set of modules the file encryption system needs to perform its functions on the terminal. It mainly handles execution of file encryption and decryption; terminal application control (save-as, clipboard, print, screen capture and so on); terminal security policy control (user check-in/check-out, retrieval and execution of the policies that apply to the user, and so on); and tracking and early-warning control (which user did what to which file at what time, and which of those actions are risky and require a system warning report).

The client communicates with the centralized policy management server through network data exchange management to complete policy retrieval, log reporting, exchange of encryption and decryption key information and similar operations. The terminal uses a "heartbeat" to wake the communication and data exchange services; the heartbeat frequency is configurable.

When the terminal is off-line and the client cannot reach the server, it automatically switches to an off-line service backed by a local cache so that the relevant business functions keep working. When the cache expires, the system's decryption function is disabled. The off-line usage period is configurable and can be extended in several ways. Once the terminal can reach the server again, network data exchange resumes and the logs recorded while off-line are reported automatically.

For the files that need encryption and control on the terminal, the client control software manages them along two combined dimensions. The first is the file format: this solution uses driver-layer encryption (see the description of encryption and decryption technology in the Technical Basics section), which supports encryption and decryption of files in any format, and the file format constraint mainly governs the encryption and decryption actions themselves. The second is the application process that handles a given file format (for example, *.DOC is handled by WinWord.EXE); this is what allows application control (save-as, print, clipboard and so on) to be applied to an encrypted document while it is permitted to be decrypted and opened.
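The heartbeat and off-line cache behaviour described above, as an added illustration in Python (not the vendor's client code). Time is passed in as plain seconds so the scenario is reproducible, the server is a constructed callable that reports whether it is reachable at a given time, and the way the off-line period is extended (an extension applied on the terminal) is an assumption; the page only says that several methods exist.

```python
"""Client heartbeat with off-line grace period (added example, not the vendor's code).

The real client wakes its network exchange on a timer ("heartbeat"); here tick(now)
plays that timer and server_reachable(now) stands in for the actual exchange.
"""


class ClientSession:
    def __init__(self, server_reachable, heartbeat_interval, offline_allowance, now):
        self.server_reachable = server_reachable    # callable(now) -> bool (constructed stand-in)
        self.heartbeat_interval = heartbeat_interval
        self.offline_allowance = offline_allowance  # configured off-line usage period, seconds
        self.extension = 0.0                        # extra off-line time granted on the terminal
        self.last_heartbeat = now                   # assume the initial check-in succeeded
        self.next_heartbeat = now + heartbeat_interval
        self.online = True
        self.pending_logs = []                      # operations recorded while off-line
        self.reported_logs = []                     # what the server has received

    def tick(self, now):
        """Heartbeat timer: exchange with the server when due, else keep the cached state."""
        if now < self.next_heartbeat:
            return self.online
        self.next_heartbeat = now + self.heartbeat_interval
        if self.server_reachable(now):
            self.online = True
            self.last_heartbeat = now
            self.extension = 0.0                    # an extension only covers one off-line stretch
            self.reported_logs.extend(self.pending_logs)   # off-line logs reported on reconnect
            self.pending_logs.clear()
        else:
            self.online = False                     # switch to the cached off-line service
        return self.online

    def can_decrypt(self, now):
        """Decryption is available on-line, and off-line only until the cached period expires."""
        if self.online:
            return True
        return (now - self.last_heartbeat) <= self.offline_allowance + self.extension

    def extend_offline(self, seconds):
        """Assumed extension mechanism: an administrator-issued allowance applied on the terminal."""
        self.extension += seconds

    def record(self, now, user, action, path):
        """Audit entry; buffered while off-line, sent immediately while on-line."""
        entry = (now, user, action, path)
        (self.reported_logs if self.online else self.pending_logs).append(entry)
        return entry
```

A practitioner would walk one outage through this: the heartbeat fails, decryption keeps working until the configured period elapses, an extension restores it, and the entries recorded while off-line are flushed on the first successful heartbeat. The off-line allowance is therefore the window in which a stolen or disconnected terminal can still open documents, and should be set as short as the business tolerates.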

Chapter Three      Core functions

3.1     Transparent encryption

3.1.1   Transparent encryption

Transparent encryption is an automatic (mandatory) encryption technique. "Transparent" means that the user does not perceive the encryption and decryption of documents. It mainly addresses the many risks of storing plaintext while the user's core data files are being produced, such as copying by former employees, loss of removable storage devices and interception of network transmissions.

After the administrator issues a transparent encryption policy (the associated application processes and the types of files they generate) through the server platform, the client monitors, in real time and according to the policy, the application's read and write operations on files of the specified types (decrypting on read, encrypting on write), giving real-time dynamic encryption and decryption of documents. Once a document is encrypted it is used transparently within the controlled scope (authorized users with the client installed) and cannot be used outside the controlled environment, which effectively removes the risk of data leakage while the user's core data files are being produced.

3.1.2   Semi-transparent encryption

Semi-transparent encryption is an active (non-mandatory) encryption technique for documents that do not have to be encrypted. As an encryption policy it can be used on its own or combined with transparent encryption according to customer needs, so that different departments encrypt on demand, balancing document exchange efficiency against the security of the user's core data.

After the administrator issues a semi-transparent encryption policy (the associated application processes and the types of files they generate) through the server platform, the client monitors the application's read and write operations on files of the specified types in real time (decrypting on read, encrypting on write) and distinguishes encrypted documents from ordinary documents. Encrypted documents are fully controlled: whether saving, copy and paste, screenshots, object insertion, drag and drop, network transmission and so on are allowed can each be set. Ordinary (plaintext) documents can be used freely and are not affected by the encryption controls.
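The read-decrypt/write-encrypt hook of 3.1.1, and the semi-transparent variant of 3.1.2 in which only documents that are already ciphertext stay ciphertext, as an added Python simulation (not the vendor's driver). The filter driver is modelled as an object whose read() and write() stand for the kernel callbacks; the on-disk format (a "TENC1" header, nonce, HMAC-SHA256 tag, body), the HMAC-based keystream cipher, the terminal key and the policy table are all constructed assumptions standing in for the product's undocumented format and key distribution.

```python
"""Transparent / semi-transparent encryption hook, simulated (added example)."""
import hashlib
import hmac
import os

MAGIC = b"TENC1"                                       # assumed header marking ciphertext files
TERMINAL_KEY = hashlib.sha256(b"constructed terminal key").digest()   # real key comes from the server

# Policy as issued by the server: controlled process -> file types it generates (constructed).
POLICY = {
    "WinWord.EXE": {".doc", ".docx"},
    "EXCEL.EXE": {".xls", ".xlsx"},
}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real block cipher mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_file(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, MAGIC + nonce + body, hashlib.sha256).digest()   # encrypt-then-MAC
    return MAGIC + nonce + tag + body


def decrypt_file(key, blob):
    nonce, tag, body = blob[5:21], blob[21:53], blob[53:]
    if not hmac.compare_digest(tag, hmac.new(key, MAGIC + nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def is_encrypted(blob):
    return blob.startswith(MAGIC)


class FilterDriverSim:
    """mode='transparent': every write by a controlled process to a controlled type is encrypted.
    mode='semi': only documents that are already ciphertext (or manually encrypted) stay encrypted."""

    def __init__(self, key, policy, mode="transparent"):
        self.key, self.policy, self.mode, self.disk = key, policy, mode, {}

    def controlled(self, process, path):
        return os.path.splitext(path)[1].lower() in self.policy.get(process, set())

    def write(self, process, path, data):
        """Write callback: decide whether the bytes that reach the disk are ciphertext."""
        existing = self.disk.get(path, b"")
        must_encrypt = self.controlled(process, path) and (
            self.mode == "transparent" or is_encrypted(existing))
        self.disk[path] = encrypt_file(self.key, data) if must_encrypt else data
        return self.disk[path]

    def read(self, process, path):
        """Read callback: a controlled process gets plaintext, everything else the raw bytes."""
        blob = self.disk[path]
        if is_encrypted(blob) and self.controlled(process, path):
            return decrypt_file(self.key, blob)
        return blob

    def manual_encrypt(self, path):
        """Semi-transparent mode: the user (or a policy) marks a plaintext document as controlled."""
        if not is_encrypted(self.disk[path]):
            self.disk[path] = encrypt_file(self.key, self.disk[path])
        return self.disk[path]


def tamper_detected(key, blob):
    """True if the integrity tag rejects the blob (e.g. one flipped byte in the body)."""
    try:
        decrypt_file(key, blob)
        return False
    except ValueError:
        return True
```

The point to notice is which side of the hook each process lands on: WinWord.EXE reading plan.docx gets plaintext, while a file manager, a mail client or a copy to a USB stick reads and writes the same bytes unchanged, so the copy that leaves the terminal is ciphertext. The integrity tag is what turns "wrong key" or a corrupted file into a clean error instead of garbage being handed to the application.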

3.1.3   Full-disk scan encryption and decryption

Full-disk scan encryption and decryption is a batch method. It is mainly used to process (encrypt) the historical data on a computer terminal in one pass, or to decrypt terminal data in batch when a user changes computer or the terminal data no longer needs encryption protection.

The scan covers the whole disk for the configured document types. After the administrator issues a full-disk scan policy through the server, the client automatically completes batch encryption or decryption of the documents on the disk according to the document types set in the policy.

3.1.4   File access control

File access control is a document security hardening policy, mainly used to protect the user's important data from malicious deletion.

The file access control policy prevents unauthorized deletion of directories and documents and changes to document extensions. The administrator sets the document directories and document types to be protected through the server management platform, and the client protects the specified directories according to the policy, preventing a malicious user from deleting data or from renaming a document's extension to bypass encryption protection.

3.1.5   Content security control

Content security control is a content-level protection policy for documents. It protects the content of the user's core documents while they are in use against leakage by copying, dragging, saving, object insertion, network connections and screenshots.

The policy covers copy, drag, save, insert, connect (network) and screen capture controls. Each control supports custom black and white lists, and the administrator configures the policy flexibly through the management platform. Under the policy:

(1) Plaintext content can be copied into a ciphertext document; ciphertext content cannot be copied into a plaintext document; copying between ciphertext documents is not affected.

(2) A ciphertext document saved under any other file type remains encrypted.

(3) Ciphertext content cannot be embedded into a plaintext document by object insertion.

(4) While an application has an encrypted document open, it is forbidden to transmit the document's content over the network.

(5) Screen capture and screen recording through applications such as QQ or the screenshot key are forbidden (the capture shows a black screen).

3.1.6   Print control

Print control is a document printing control policy, mainly used to prevent data leakage through the printing of the user's core (encrypted) documents.

The print control policy supports control of both virtual and physical printers. The administrator sets the print control policy through the server management platform; once it is enabled, the designated departments or users cannot print encrypted documents. Physical print control supports custom black and white lists, so that trusted applications can be allowed to print encrypted documents.

3.1.7   Print watermark

When a user prints an encrypted document, a watermark can be added as required, mainly so that a leaked printout can be traced back and the leak deterred (the watermark carries the user name, IP address and other information of the person who printed it).

Both visible watermarks and blind (invisible) watermarks are supported. The watermark can be placed at the centre of the document or in the upper-left, lower-left, upper-right or lower-right corner. The watermark content can be an image or text; the text can include the computer name, IP and MAC address, print date and user information. The display position (full or partial), content, opacity and font size can all be customized.

3.1.8   Read watermark

A watermark is added as required while a user has an encrypted document open, mainly so that leaks caused by photographing the screen with a mobile phone can be traced back and deterred.

Both screen watermarks and document watermarks are supported. The watermark content includes the computer name, IP and MAC address, date and user information; the content and display position can be customized.

(1) Screen watermark

The watermark can be placed at the centre of the screen or in the upper-left, lower-left, upper-right or lower-right corner. The content can be an image or text; the text can include the computer name, IP and MAC address, current date and user information. The display position (full or partial), content, opacity and font size can be customized.

(2) Document watermark

The document watermark is displayed at the centre of the document. It carries the company name, current date and user information; the text, display style (slanted or horizontal), font size and colour can be customized.

3.1.9   Mail whitelist

The mail whitelist is a document decryption mechanism, mainly used for file exchange between users who have the client installed and users who do not. A user sends an encrypted attachment through a mail client (Outlook, Foxmail) to a designated recipient and the attachment is decrypted automatically, which makes document exchange more efficient.

The administrator sets the whitelisted email addresses through the server management platform. According to the issued mail whitelist policy, the client automatically recognizes whether a recipient is whitelisted: attachments to whitelisted recipients are decrypted before sending, while attachments to all other recipients are sent as ciphertext.

The mail whitelist supports both destination address whitelists and source address whitelists. In either form a whitelist entry is a standing decryption authorization for every attachment that matches it, so it should be granted and reviewed as carefully as a decryption approval.

(1) Destination address whitelist

When a user sends an encrypted attachment through a mail client to a whitelisted email address, the attachment is decrypted automatically.

(2) Source address whitelist

When a user whose own email address is whitelisted sends an encrypted attachment through a mail client, the attachment is decrypted automatically before sending.

3.1.10   File backup

File backup is a disaster-tolerance mechanism provided by the system. It is mainly used where force majeure factors (virus damage, unexpected power failure, storage failure, operator error and so on) could leave data abnormal or damaged, to preserve the integrity of core data files.

The administrator sets a file backup policy (by document type) through the management platform, and the client automatically backs up documents of the specified types according to the policy.

Both local and remote backup are supported. Remote backup takes a full backup first and incremental backups thereafter, with a configurable backup cycle (daily, weekly or monthly). Local backup uses rolling (cyclic) backups. Backup early warning is supported: the system prompts when free disk space falls below the configured threshold.

3.1.11   Multi-key isolation

Multi-key isolation is a key-based permission control policy, mainly used to meet the data isolation and control needs of different departments, for example:

(1) The data of one department may be viewed only by designated departments; all other departments cannot view it.

(2) The data of designated departments can be viewed by each other, but cannot be viewed by any other department.

By configuring keys flexibly, both one-way and two-way isolation of data between departments can be achieved.

The system provides two modes, smart key and active key.

In smart key mode, when a user opens a document the client automatically identifies the user's key permissions from the policy: users holding the right key can use the encrypted document normally, and users without it cannot.

In active key mode, when a user opens a document they must choose the key corresponding to the department the document belongs to in order to use the encrypted document normally.
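One way to realize the one-way and two-way isolation and the two key modes above is envelope encryption with one key per department, shown here as an added Python example (not the vendor's implementation, whose key scheme the page does not describe). Each document body is encrypted under its own random data key (DEK), and the DEK is wrapped once for every department allowed to read the document; which departments receive a wrapped copy is what decides the direction of isolation. The HMAC-SHA256 keystream used for wrapping and for the body is an assumption standing in for a real AEAD cipher, and the department keys are generated locally instead of being issued by the management server.

```python
"""Multi-key isolation as envelope encryption with per-department keys (added example)."""
import hashlib
import hmac
import os


def _prf(key, label, n):
    """HMAC-SHA256 expanded to n bytes; stand-in for a real cipher (assumption)."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class KeyServer:
    """Holds one key per department and records which keys each user's client receives."""

    def __init__(self, departments):
        self.dept_keys = {d: os.urandom(32) for d in departments}   # constructed department keys
        self.user_depts = {}

    def enroll(self, user, *departments):
        self.user_depts[user] = set(departments)

    def keys_for(self, user):
        return {d: self.dept_keys[d] for d in self.user_depts.get(user, ())}


def create_document(server, body, owner, viewers=()):
    """Encrypt body under a fresh DEK; wrap the DEK for the owner and every viewer department."""
    dek, nonce = os.urandom(32), os.urandom(16)
    wrapped = {}
    for dept in {owner, *viewers}:
        kek = server.dept_keys[dept]
        w = _xor(dek, _prf(kek, b"wrap" + nonce, 32))
        tag = hmac.new(kek, b"wrap-tag" + nonce + w, hashlib.sha256).digest()[:16]
        wrapped[dept] = w + tag
    ct = _xor(body, _prf(dek, b"body" + nonce, len(body)))
    return {"owner": owner, "nonce": nonce, "wrapped": wrapped, "ct": ct}


def _unwrap(kek, nonce, blob):
    w, tag = blob[:32], blob[32:]
    expect = hmac.new(kek, b"wrap-tag" + nonce + w, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None                                   # wrong department key
    return _xor(w, _prf(kek, b"wrap" + nonce, 32))


def _open_with(kek, dept, doc):
    if dept not in doc["wrapped"]:
        return None                                   # no copy of the DEK for this department
    dek = _unwrap(kek, doc["nonce"], doc["wrapped"][dept])
    if dek is None:
        return None
    return _xor(doc["ct"], _prf(dek, b"body" + doc["nonce"], len(doc["ct"])))


def open_smart(server, user, doc):
    """Smart key mode: the client tries every department key the user holds."""
    for dept, kek in server.keys_for(user).items():
        body = _open_with(kek, dept, doc)
        if body is not None:
            return body
    return None


def open_active(server, user, doc, chosen_dept):
    """Active key mode: the user names the department key; a key the user does not hold fails."""
    kek = server.keys_for(user).get(chosen_dept)
    return None if kek is None else _open_with(kek, chosen_dept, doc)
```

One-way isolation (management may read R&D documents, R&D may not read management documents) is obtained by wrapping R&D DEKs for both departments and management DEKs for management only; two-way sharing between R&D and design wraps both departments' DEKs for each other. Because a user only ever holds department keys and never the DEKs themselves, revoking a department's access to future documents is a change to the wrapping list, not a re-keying of the users. The body here carries no integrity tag of its own; a production design would use an authenticated cipher for it.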

3.1.12   Process signature

Process signature verifies that system processes are legitimate. The system generates a unique identifier for each process from the characteristics and attributes of the application process using its own algorithm, to prevent counterfeit processes from stealing the content of encrypted documents and to prevent legitimate processes from being tampered with in order to escape encryption protection.

Both manual and automatic signing are supported. Once signing is enabled, the client checks the legitimacy of each process against the security policy: when an authorized application starts, its process is verified (the result is cached so that compatibility and efficiency are maintained without sacrificing security), and only legitimate processes can open encrypted documents.
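The process signature check above, as an added Python example rather than the vendor's algorithm (which the page does not disclose). The fingerprint here is SHA-256 over the executable image and its normalized path, the cache is keyed on (path, size, mtime) so that a replaced binary is re-verified, and the rule for automatic signing (accept an image on first sight only if it lives in a trusted install directory) is an assumption; the images, paths and timestamps are constructed.

```python
"""Process signature: allow-list of executable fingerprints with a verification cache (added example)."""
import hashlib


def fingerprint(image, path):
    """Identifier of a process image: SHA-256 over the normalized path and the executable bytes (assumed scheme)."""
    h = hashlib.sha256()
    h.update(path.replace("\\", "/").lower().encode("utf-8") + b"\x00")
    h.update(image)
    return h.hexdigest()


class ProcessSignatureStore:
    def __init__(self, trusted_dirs=()):
        self.signed = {}           # process name -> set of accepted fingerprints
        self.cache = {}            # (path, size, mtime) -> bool, so the image is not rehashed on every launch
        self.trusted_dirs = tuple(d.replace("\\", "/").lower() for d in trusted_dirs)

    def sign_manual(self, name, image, path):
        """Manual signing: the administrator records one specific build of an application."""
        self.signed.setdefault(name, set()).add(fingerprint(image, path))

    def sign_auto(self, name, image, path):
        """Automatic signing (assumed policy): accept on first sight only from a trusted install directory."""
        if not path.replace("\\", "/").lower().startswith(self.trusted_dirs):
            return False
        self.sign_manual(name, image, path)
        return True

    def verify(self, name, image, path, size, mtime):
        """Returns (legitimate, source); source tells whether the cache answered."""
        key = (path, size, mtime)
        if key in self.cache:
            return self.cache[key], "cache"
        ok = fingerprint(image, path) in self.signed.get(name, set())
        self.cache[key] = ok
        return ok, "computed"

    def invalidate(self, path):
        """Drop cached verdicts for a path, e.g. after a software update."""
        for key in [k for k in self.cache if k[0] == path]:
            del self.cache[key]


def may_open_encrypted(store, name, image, path, size, mtime):
    """The decision the filter driver needs: is this process allowed to receive plaintext?"""
    ok, _ = store.verify(name, image, path, size, mtime)
    return ok
```

Two cases matter: a counterfeit that reuses the name WinWord.EXE from a user-writable directory does not match any signed fingerprint, and a patched copy of the genuine binary changes its hash (and its mtime, so it misses the cache) and is rejected as well. The cache key is what bounds how long a stale verdict survives; anything the product keys its cache on that an attacker can preserve while swapping the image would extend that window.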

3.2     Smart encryption

Based on document content recognition and transparent encryption, smart encryption identifies document content automatically and encrypts data files that contain sensitive content, addressing the risk of leakage across the generation, storage, use and transmission of the user's core data assets.

3.3     Permission management

By encrypting documents and authorizing them to corresponding roles, the use of documents inside the enterprise is controlled, avoiding the disclosure risk of unauthorized use. Data authors can set the distribution scope of the data (users, departments, project groups and so on) and its viewing permissions (read-only, print, modify, number of reads, reading duration) as required, and can also create permission templates according to enterprise needs to authorize documents in batch.

3.4     Outbound management

By encrypting, authorizing and encapsulating documents, the risk of disclosure when documents are transmitted and used externally is controlled. The data author can set the document's viewing permissions (read-only, print, modify, number of reads, reading duration) as required. After an external user receives the document, they must pass security identity authentication before they can view and use the data.

3.5     Application security gateway

Security for application systems is provided through an integrated combination of software and hardware. The application security gateway gives application systems the dual protection of secure access and data encryption and decryption. Secure access controls access to application data through terminal identification, application system disguise (the gateway fronts the real application system), transmission tunnel encryption, terminal protection and access logging. Data encryption and decryption decrypts the application system's core data on upload and encrypts it on download, so that the enterprise's core data can be used safely off-line.

3.6     Security middleware

Encryption and decryption capabilities are provided to application systems through interfaces. An application system can choose the encryption interface, decryption interface, process (approval) interface and so on for joint development, integrating encryption and decryption into the business system to improve its confidentiality and ensure data security. The security middleware is based on a standard WebService interface and is not limited by protocol or network environment; as long as the application system can be extended (secondary development), integration with a third-party application system is completed quickly by calling the interface.

3.7     Smart mobile terminal

Provides a dedicated app security service for smart mobile devices, so that encrypted data downloaded to the device through the client can be viewed normally and cannot be used outside the controlled scope. This module is generally used together with transparent encryption, the application security gateway or the security middleware.

3.8     USB client

The transparent encryption client is embedded in a USB flash drive. An authorized user can insert the drive into any computer and open and use encrypted documents, without connecting to the encryption server and without carrying the office computer. It is mainly intended for employees working overtime at home or travelling on business.

3.9     Full-text search

The full-text search system analyses the content of documents that pass through the process approval flows (decryption flow, outbound flow) and builds an index of document data, so that the log administrator can quickly find the processes and documents containing given content by entering keywords. This provides dynamic association and querying of document attachments and processes.


© 2016 Guangzhou Mingchuang Network Technology Co., Ltd. All rights reserved